Indian police have arrested two men who allegedly circumvented a bank's two-factor authentication protection and looted online accounts.
The pair are suspected of buying victims' personal details from other crooks and then tricking mobile phone companies into giving the duo replacement SIM cards. Anyone in possession of these …

Whose 'fault'?

Now what doesn't get mentioned is who is going to put the money back into the bank account. Is the phone company going to do anything other than 'adjust' the bill for that month's service? Is the bank going to say "hey we just used the phone number you told us to use"?

So this poor sot used the gold standard of two-factor security and gets taken anyway. And likely nobody is going to make the failure good.

Re: Whose 'fault'?

IANAL but from my viewpoint, it's the bank's fault. They paid money to somebody who wasn't the rightful recipient. End of story. It makes no difference if the thieves cloned a phone, wore a false moustache, or just said "this is my account" while waving their hand. It's up to the BANK to verify the identity of the recipient. And it's up to the BANK to devise a system that does that.

The logical conclusion of any other way of looking at it (i.e. it's not the bank's fault) would be that if the bank's computers were hacked, or stolen, or if their data centre went "boom", all account holders would suddenly have no balance, and the bank would just say "oops".

Lackeys?

Suggestion

Before issuing replacement SIMs, how about sending a text message saying so to the original SIM. If that SIM is still in use, then the recipient gets the chance to prove ownership and prevent the replacement from being activated, or, at worst, to amend any security that relies on the associated mobile number.

Longer term, banks should work with the mobile telcos and come up with a service where the IMEI and/or the SIM are validated before delivering the PIN, so that a replacement SIM, or the SIM in a different phone, does not deliver the PIN.
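One way a bank could gate SMS PIN delivery on the SIM/IMEI validation this post suggests. This is an added illustration, not code from the article or the commenter; the telco lookup record, the bank-side enrolment record and the 48-hour post-swap cooldown are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class SimRecord:
    """Constructed telco lookup result (hypothetical; no real carrier API implied)."""
    msisdn: str
    iccid: str                # SIM currently active on the number
    imei: str                 # handset that SIM was last seen in
    last_sim_change: datetime


@dataclass
class Enrolment:
    """Constructed bank-side record of the SIM/handset registered for SMS PINs."""
    msisdn: str
    iccid: str
    imei: str


SWAP_COOLDOWN = timedelta(hours=48)   # assumed: hold SMS PINs this long after any swap


def otp_decision(enrolment: Enrolment, telco: SimRecord, now: datetime) -> str:
    """Return "deliver" only when the number still sits on the enrolled SIM in the
    enrolled handset and has not changed recently; otherwise "step_up", meaning
    the bank must confirm the customer through a channel other than that SMS."""
    if telco.msisdn != enrolment.msisdn:
        return "step_up"      # record is for a different number: never deliver
    if telco.iccid != enrolment.iccid:
        return "step_up"      # replacement SIM, the case the post is about
    if telco.imei != enrolment.imei:
        return "step_up"      # same SIM moved into a different phone
    if now - telco.last_sim_change < SWAP_COOLDOWN:
        return "step_up"      # identifiers match but a swap happened very recently
    return "deliver"


def demo() -> dict:
    """Constructed scenarios: untouched enrolment, replacement SIM, SIM moved to another phone."""
    now = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
    enr = Enrolment("+910000000000", "ICCID-ENROLLED", "IMEI-ENROLLED")
    stable = SimRecord(enr.msisdn, "ICCID-ENROLLED", "IMEI-ENROLLED", now - timedelta(days=90))
    swapped = SimRecord(enr.msisdn, "ICCID-REPLACEMENT", "IMEI-OTHER", now - timedelta(hours=2))
    moved = SimRecord(enr.msisdn, "ICCID-ENROLLED", "IMEI-OTHER", now - timedelta(days=90))
    return {name: otp_decision(enr, rec, now)
            for name, rec in (("stable", stable), ("swapped", swapped), ("moved", moved))}


if __name__ == "__main__":
    print(demo())
```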

Is this not a wake-up call for banks and telcos to beat the RNG/fob

Key thingy? I have a friend in China who is a foreigner, and he does all his banking via the RNG/lookup thingy. Even if his phone is cloned or the SIM card is cloned, the attackers still need a bit more to compromise him or his banking funds.